This section describes search functionality that applies to all Carbon Black Cloud modules.

Important: Platform Search overrides the Lucene default.
  • Lucene by default assumes an OR if no operator is specified.
  • Platform Search by default assumes an AND if no operator is specified.

Default Boolean Operator

In Platform Search, if you do not include an operator, the default operator is AND.

If you omit an AND, NOT, or OR operator between search clauses, the query results will use an AND operator by default.

For example, the following queries are equivalent and provide the same result:

process_name:powershell.exe crossproc_name:ccmexec.exe
process_name:powershell.exe AND crossproc_name:ccmexec.exe

Negation

You can exclude a search query term by using one of three operators:

  • AND NOT
  • NOT
  • - (leading dash or minus sign character)

For example, the following queries are equivalent and provide the same result:

process_name:chrome.exe AND NOT netconn_domain:google.com
process_name:chrome.exe NOT netconn_domain:google.com
process_name:chrome.exe -netconn_domain:google.com

Special Characters

The following characters, as defined by Lucene, have special meaning when they appear in a search query:

+ () "
- {} ~
&& [] *
|| ^ ?
: /

Anytime you use these characters in a raw Lucene search, they must be escaped (that is, preceded with a backslash \ character).

However, if you use one of these characters in the middle of a field value, or the field value is wrapped in quotes, escaping the character is optional.

For example:

Works
regmod_name:\{4a15d1fe-35eb-ed8c-5d7b-0aaefad84326\}
Works
regmod_name:\{4a15d1fe\-35eb\-ed8c\-5d7b\-0aaefad84326\}
Does not Work
regmod_name:{4a15d1fe-35eb-ed8c-5d7b-0aaefad84326}

Wildcards

You can leverage wildcards when searching for filenames that have specific file extensions. For many fields, searching for the file extension works efficiently without wildcards.

For example:

  • process_name:.exe finds all processes with names that have an .exe extension.
  • process_cmdline:.txt finds all processes that have command lines with a .txt extension.
Important:
  • Avoid using a leading wildcard such as process_name:*.exe or regmod_name:*Windows*. This is computationally expensive, can impact the performance of this and other searches for your organization, and is redundant.
  • Wildcards do not work if you quote the value. After you surround a string in quotes, wildcards between the quotation marks are ignored. If you do not include the quotes and escape properly, you can use wildcards in value search.
    Works
    process_name:c\:\\windows\\temp\\inv*_tmp\\*
    Does not Work
    process_name:"c:\\windows\\temp\\inv*_tmp\\*\\invcol.exe"
  • Leading wildcards are implied.
    Works
    process_name:Microsoft\ Office\\*
    Does not Work
    process_name:**\Microsoft Office\**
    Does not Work
    process_name:"Microsoft Office"

Fuzzy Search

Fuzzy search is a way of searching for terms that are spelled similar to, but not the same, as the terms in the index. The trailing ~ (tilde) character invokes the fuzzy search capability.

For example, searching for process_name:svch0st.exe~ returns the same results as if you searched on process_name:svchost.exe.

Note:
  • Fuzzy search can be applied to all string fields (see Search Fields).
  • Fuzzy search does not work for numeric fields, date fields, or IP address fields.
  • Fuzzy search only works on terms, not on phrases. For example, if you perform a fuzzy search for a single term in process_cmdline, as long as that term does not contain a delimiter that is used to split apart command line tokens, the fuzzy search will work.

To specify a distance parameter, append an integer between 0 and 2. For example:

process_name:svch0st.exe~2 works the same way as process_name:svch0st.exe~

The netconn_domain search field is a special case. Fuzzy search only works on the FQDN, not on substrings or variants of the FQDN.

For example:

If the indexed netconn domain is... Works Does not Work
google.com
netconn_domain:g00gle.com~
netconn_domain:g00gle~
www.google.com
netconn_domain:www.g00gle.com~
netconn_domain:g00gle.com~
netconn_domain:google.com~
Note: You can search for any part of a domain without using fuzzy search, but you must include the FQDN when using fuzzy/regex/wildcard searches.

For details on how the distance parameter works, see https://www.elastic.co/blog/found-fuzzy-search.

Escaping

You must escape for any regex (regular expressions), and then escape for Lucene. For example:

  • On the Investigate page, you can search for files with double extensions such as document.doc.exe that has this regular expression query.

    In the following example, note that the double backslash is used to enable you to search for the \ character.

    process_name:/[^\\/]+\\.[^\\/]{2,3}\\.[^\\/]{2,3}/
  • On the Enterprise EDR Watchlist page, you must ensure that every query term is escaped properly, especially for spaces, so that all terms appear at Key:Value pairs, and there are no unpaired terms in the query.

    For example:

    Does not Work as a Watchlist IOC
    childproc_name:schtasks.exe -childproc_cmdline:C\:\\WINDOWS\\System32\\schtasks.exe Vquery Vtn (724_*)

    The strings Vquery, Vtn, and (724_*) are treated as unpaired terms due to the unescaped spaces after schtasks.exe.

    Works as a Watchlist IOC
    childproc_name:schtasks.exe -childproc_cmdline:C\:\\WINDOWS\\System32\\schtasks.exe\ Vquery\ Vtn\ (724_*)

Parentheses

Placement of parentheses in a multi-term query can have a significant effect on what is matched.

For example:

(netconn_inbound:false AND netconn_ipv4:0.0.0.0)

Returns all processes that have outbound traffic to 0.0.0.0.

((netconn_inbound:false) AND netconn_ipv4:0.0.0.0)

Returns all processes that have made an outbound connection but have also had inbound or outbound traffic with 0.0.0.0.